VUPEN Restricts Access to Dual-Use Exploits as Part of Wassenaar Arrangement

Are 0-days and exploits soon going to be regulated here in the US next?

I found this page over on VUPEN's website interesting. Basically, they are now following the Wassenaar Arrangement, which classifies their 0-days and exploits as regulated and export-controlled "dual-use" technologies. Going forward they will only sell to approved government agencies in approved countries.

The interesting thing to note is that the US is listed as a “Participating State” of this agreement as well. Does anyone know of proposed or existing laws that force the same restrictions in the US? The recently passed 2014 National Defense Authorization Act spending bill we discussed last week might just be the start.

The big question is where the government will draw the line in terms of defining “dual-use.” Will day-to-day security tools (e.g., Nessus and Nmap) fit into this category? What about a quick bash script you write up to bruteforce web application session ids? Only time will tell…

via VUPEN.com

As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).

While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN’s vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.

To answer your question, the U.S. has long had export control regimes in place that support its status as a Wassenaar signatory. If you look at the Commerce Control List in the export regulations, you'll see a number of information security-related categories, including:

As to whether they “force” the same controls, the answer almost certainly is “it depends.”

With export controls and “dual-use” products, the devil really is in the details. Sometimes small differences in feature set, export destination, or even use case can make a difference in the status and whether a particular piece of technology falls into a controlled category or not.

It doesn't help that some of the BIS rules can get a little Kafkaesque. For example, in the case of encryption, there are many cases where they will flat out tell you that "it is not controlled," but that you still have a legal obligation to provide certain notices and technical information to certain parts of the U.S. Government BEFORE you ever make it available.

For all the exploit developers out there, it’s also important to remember that consulting can be considered an export, as can having non-U.S. people present in the lab in some cases. This is all in the unclassified world, to boot.
